Bug 2368956 (CVE-2025-48734)

Summary: CVE-2025-48734 commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppress an enum's declaredClass property by default
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aazores, abrianik, adupliak, anthomas, aprice, aschwart, asoldano, ataylor, bbaranow, bmaxwell, boliveir, brian.stansberry, carogers, caswilli, ccranfor, cdewolf, chfoley, cmah, cmiranda, csutherl, darran.lofthouse, dbruscin, dhanak, dkreling, dnakabaa, dosoudil, drosa, dsoumis, eaguilar, ebaron, ehelms, erezende, eric.wittmann, fjuma, fmariani, fmongiar, ggainey, ggrzybek, gmalinko, gtanzill, haoli, hkataria, ibek, istudens, ivassile, iweiss, jajackso, janstey, jbuscemi, jcammara, jcantril, jclere, jmitchel, jneedle, jnethert, joehler, jolong, jpechane, jpoth, jrokos, jsamir, juwatts, kaycoth, kegrant, kholdawa, koliveir, kshier, kvanderr, kverlaen, lcouzens, lgao, mabashia, mhulan, mnovotny, mosmerov, mposolda, mskarbek, msochure, msvehla, nipatil, nmoumoul, nwallace, oezr, osousa, pantinor, parichar, pberan, pbizzarr, pbohmill, pbraun, pcongius, pcreech, pdelbell, periklis, pesilva, pjindal, plodge, pmackay, porcelli, rchan, rguimara, rkieley, rkubis, rmartinc, rmaucher, rojacob, rstancel, rstepani, sausingh, sfroberg, shvarugh, simaishi, smaestri, smallamp, smcdonal, ssilvert, stcannon, sthorger, swoodman, szappis, tasato, tcunning, teagle, tfister, thavo, tmalecek, tom.jenkinson, vmuzikar, yfang, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Apache Commons BeanUtils. This vulnerability allows remote attackers to execute arbitrary code via uncontrolled access to the declaredClass property on Java enum objects, which can expose the class loader when property paths are passed from external sources to methods like getProperty() or getNestedProperty().
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2369094, 2369088, 2369089, 2369090, 2369091, 2369092, 2369093, 2369095
Bug Blocks:

Description OSIDB Bzimport 2025-05-28 14:01:19 UTC
Improper Access Control vulnerability in Apache Commons BeanUtils.

A special BeanIntrospector class (SuppressPropertiesBeanIntrospector) was added in version 1.9.2. It can be used to stop attackers from using the declaring-class property of Java enum objects to get access to the class loader. However, this protection was not enabled by default for that property. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows access to the enum declaring-class property by default.

Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum's class loader via the "declaredClass" property available on all Java "enum" objects. (The accessor behind this property is Enum.getDeclaringClass(), so the bean property name that is actually resolved, and that the fix suppresses, is "declaringClass"; the advisory text spells it "declaredClass".) Accessing the enum's declaring class allows remote attackers to reach the ClassLoader and, from there, execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().

Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses this property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.

This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.

Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue.

Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
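The following is an added example, not code from the advisory or from the Commons BeanUtils project. It shows the exact property path an attacker would submit to walk from a bean, through an enum-typed property, to that enum's declaring Class and its ClassLoader, and how an application stuck on commons-beanutils 1.9.2 through 1.10.x can register the same suppression that 1.11.0 enables by default. The bean, enum and path names are hypothetical; the property name "declaringClass" is assumed from the Java accessor Enum.getDeclaringClass(), and the only library API used (PropertyUtilsBean.addBeanIntrospector, removeBeanIntrospector and the SuppressPropertiesBeanIntrospector constructor taking a collection of property names) exists since 1.9.2.

```java
import java.util.Collections;

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added example for CVE-2025-48734 (not project code). Demonstrates the
 * enum -> declaringClass -> classLoader traversal and the mitigation that
 * 1.11.0 applies by default, expressed with 1.9.2+ API only.
 */
public class EnumDeclaringClassDemo {

    // Hypothetical application bean: any bean exposing an enum-typed property works.
    public enum Format { JSON, XML }

    public static class ExportSettings {
        private Format format = Format.JSON;
        public Format getFormat() { return format; }
        public void setFormat(Format format) { this.format = format; }
    }

    /** Bean property backed by Enum.getDeclaringClass(); called "declaredClass" in the advisory. */
    static final String ENUM_DECLARING_CLASS = "declaringClass";

    /**
     * A PropertyUtilsBean hardened the way 1.11.0 is by default: the
     * declaringClass descriptor is removed from every enum's bean info, so a
     * property path can no longer step from an enum constant to its Class.
     */
    public static PropertyUtilsBean hardened() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(
            new SuppressPropertiesBeanIntrospector(Collections.singleton(ENUM_DECLARING_CLASS)));
        return pub;
    }

    /** Resolves a nested path; returns null when BeanUtils rejects a segment. */
    static Object resolve(PropertyUtilsBean pub, Object bean, String path) throws Exception {
        try {
            return pub.getNestedProperty(bean, path);
        } catch (NoSuchMethodException unknownProperty) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        ExportSettings bean = new ExportSettings();

        // Constructed attacker input: bean -> enum constant -> declaring Class -> ClassLoader.
        // Note that SUPPRESS_CLASS (default since 1.9.2) only hides "class", not "declaringClass".
        String untrustedPath = "format." + ENUM_DECLARING_CLASS + ".classLoader";

        // 1. Library defaults. On 1.9.x/1.10.x this yields a ClassLoader instance;
        //    on 1.11.0+ the default introspector blocks it and resolve() returns null.
        PropertyUtilsBean defaults = new PropertyUtilsBean();
        Object reached = resolve(defaults, bean, untrustedPath);
        System.out.println("defaults: " + (reached == null ? "blocked" : "resolved " + reached));

        // 2. Hardened instance: blocked on every version >= 1.9.2.
        Object hardenedResult = resolve(hardened(), bean, untrustedPath);
        System.out.println("hardened: " + (hardenedResult == null ? "blocked" : "RESOLVED " + hardenedResult));

        // 3. Legitimate use is unaffected: the enum property itself still reads.
        System.out.println("format: " + hardened().getNestedProperty(bean, "format"));
    }
}
```

For code that goes through the static BeanUtils/PropertyUtils facades rather than its own PropertyUtilsBean, the same introspector is registered on the shared instance with BeanUtilsBean.getInstance().getPropertyUtils().addBeanIntrospector(...). Suppressing the property is a safety net, not a substitute for input validation: an application that must accept property names from a client should match them against an allow-list of expected top-level names and reject any path containing a dot before handing it to BeanUtils.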

Comment 2 errata-xmlrpc 2025-06-05 02:19:47 UTC
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:8265 https://access.redhat.com/errata/RHSA-2025:8265

Comment 3 errata-xmlrpc 2025-06-11 15:34:12 UTC
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.10 for Quarkus 3.20

Via RHSA-2025:8919 https://access.redhat.com/errata/RHSA-2025:8919

Comment 4 errata-xmlrpc 2025-06-16 14:56:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:9114 https://access.redhat.com/errata/RHSA-2025:9114

Comment 5 errata-xmlrpc 2025-06-16 15:02:49 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2025:9115 https://access.redhat.com/errata/RHSA-2025:9115

Comment 6 errata-xmlrpc 2025-06-16 15:04:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4.22

Via RHSA-2025:9117 https://access.redhat.com/errata/RHSA-2025:9117

Comment 8 errata-xmlrpc 2025-06-17 09:05:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:9166 https://access.redhat.com/errata/RHSA-2025:9166

Comment 9 errata-xmlrpc 2025-06-23 03:30:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:9318 https://access.redhat.com/errata/RHSA-2025:9318

Comment 12 errata-xmlrpc 2025-06-25 19:28:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:9696 https://access.redhat.com/errata/RHSA-2025:9696

Comment 13 errata-xmlrpc 2025-06-25 19:47:46 UTC
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7

Via RHSA-2025:9697 https://access.redhat.com/errata/RHSA-2025:9697

Comment 14 errata-xmlrpc 2025-06-30 13:17:17 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.1

Via RHSA-2025:9922 https://access.redhat.com/errata/RHSA-2025:9922

Comment 15 errata-xmlrpc 2025-07-07 13:25:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2025:10453 https://access.redhat.com/errata/RHSA-2025:10453

Comment 16 errata-xmlrpc 2025-07-07 13:30:49 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2025:10452 https://access.redhat.com/errata/RHSA-2025:10452

Comment 17 errata-xmlrpc 2025-07-07 13:35:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0.8

Via RHSA-2025:10459 https://access.redhat.com/errata/RHSA-2025:10459

Comment 18 errata-xmlrpc 2025-07-10 16:17:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:10814 https://access.redhat.com/errata/RHSA-2025:10814

Comment 19 errata-xmlrpc 2025-07-14 15:54:24 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2025:10926 https://access.redhat.com/errata/RHSA-2025:10926

Comment 20 errata-xmlrpc 2025-07-14 15:55:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2025:10925 https://access.redhat.com/errata/RHSA-2025:10925

Comment 21 errata-xmlrpc 2025-07-14 15:55:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2025:10924 https://access.redhat.com/errata/RHSA-2025:10924

Comment 22 errata-xmlrpc 2025-07-14 16:21:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4.23

Via RHSA-2025:10931 https://access.redhat.com/errata/RHSA-2025:10931

Comment 23 errata-xmlrpc 2025-08-01 17:43:19 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 3.0.0

Via RHSA-2025:12511 https://access.redhat.com/errata/RHSA-2025:12511

Comment 24 errata-xmlrpc 2025-08-06 16:17:46 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.13.1

Via RHSA-2025:13274 https://access.redhat.com/errata/RHSA-2025:13274

Comment 26 errata-xmlrpc 2025-09-15 14:41:50 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.18-RHEL-9

Via RHSA-2025:15810 https://access.redhat.com/errata/RHSA-2025:15810

Comment 27 errata-xmlrpc 2025-09-15 14:42:18 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.12-RHEL-8

Via RHSA-2025:15813 https://access.redhat.com/errata/RHSA-2025:15813

Comment 28 errata-xmlrpc 2025-09-15 14:42:47 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.13-RHEL-8

Via RHSA-2025:15815 https://access.redhat.com/errata/RHSA-2025:15815

Comment 29 errata-xmlrpc 2025-09-15 15:01:33 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.16-RHEL-9

Via RHSA-2025:15811 https://access.redhat.com/errata/RHSA-2025:15811

Comment 30 errata-xmlrpc 2025-09-15 15:01:52 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.19-RHEL-9

Via RHSA-2025:15812 https://access.redhat.com/errata/RHSA-2025:15812

Comment 31 errata-xmlrpc 2025-09-15 15:02:50 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.14-RHEL-8

Via RHSA-2025:15816 https://access.redhat.com/errata/RHSA-2025:15816

Comment 32 errata-xmlrpc 2025-09-15 15:02:53 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.15-RHEL-8

Via RHSA-2025:15817 https://access.redhat.com/errata/RHSA-2025:15817

Comment 33 errata-xmlrpc 2025-09-15 15:07:14 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.17-RHEL-9

Via RHSA-2025:15814 https://access.redhat.com/errata/RHSA-2025:15814

Comment 36 errata-xmlrpc 2025-09-22 23:39:39 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.12.5

Via RHSA-2025:16409 https://access.redhat.com/errata/RHSA-2025:16409

Comment 37 errata-xmlrpc 2025-09-25 00:07:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7

Via RHSA-2025:16668 https://access.redhat.com/errata/RHSA-2025:16668

Comment 38 errata-xmlrpc 2025-09-25 00:08:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7

Via RHSA-2025:16667 https://access.redhat.com/errata/RHSA-2025:16667

Comment 39 errata-xmlrpc 2025-10-23 22:32:18 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7

Via RHSA-2025:10931 https://access.redhat.com/errata/RHSA-2025:10931

Comment 40 errata-xmlrpc 2025-10-23 22:32:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7

Via RHSA-2025:9117 https://access.redhat.com/errata/RHSA-2025:9117